Terraform · IaC · AWS · DevOps

Terraform Modules I Wish I Had on Day One

Happiness Kolade

Cloud Engineer · AWS

February 28, 2025 · 2 min read

Every cloud engineer eventually arrives at the same realisation: the first Terraform codebase you write is basically a lesson in what not to do. Here are the modules I keep reaching for on every project, and what makes each of them worth extracting.

1. The VPC Module

Copy-pasting CIDR blocks and subnet calculations across projects is a reliable way to create IP conflicts at 2 AM. A module that accepts a single CIDR block (the cidr argument below) and generates public, private, and intra subnets from it eliminates the whole problem:

module "vpc" {
  source  = "./modules/vpc"
  name    = "production"
  cidr    = "10.0.0.0/16"
  azs     = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
}

2. The Least-Privilege IAM Role Module

Writing IAM policies by hand invites scope creep. A module that takes a list of allowed actions and resource ARNs makes least-privilege the path of least resistance:

module "lambda_role" {
  source  = "./modules/iam-role"
  name    = "image-processor"
  actions = ["s3:GetObject", "dynamodb:PutItem"]
  resources = [
    # s3:GetObject is an object-level action: the bare bucket ARN would not
    # match it, so the statement needs the "<bucket-arn>/*" object path.
    "${aws_s3_bucket.images.arn}/*",
    aws_dynamodb_table.results.arn,
  ]
}
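As an added example (not the post's own module), here is one way the ./modules/iam-role module called above could be implemented, assuming the file path modules/iam-role/main.tf and a Lambda service principal as the trusted service; the validation blocks make terraform plan fail if a caller passes a wildcard action or a "*" resource, so least privilege is enforced by the module rather than by review.

```hcl
# modules/iam-role/main.tf (assumed path; example module, not the post's own code)
variable "name" { type = string }

variable "actions" {
  type = list(string)
  validation {
    # Reject "s3:*" style wildcards at plan time; every action must be spelled out.
    condition     = alltrue([for a in var.actions : !can(regex("\\*", a))])
    error_message = "Wildcard actions are not allowed; list each action explicitly."
  }
}

variable "resources" {
  type = list(string)
  validation {
    condition     = alltrue([for r in var.resources : r != "*"])
    error_message = "Resource \"*\" is not allowed; pass explicit ARNs."
  }
}

# Trust policy: only Lambda may assume the role (assumed default for this example).
data "aws_iam_policy_document" "assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

# Permissions policy: exactly the caller's actions on exactly the caller's ARNs.
data "aws_iam_policy_document" "permissions" {
  statement {
    effect    = "Allow"
    actions   = var.actions
    resources = var.resources
  }
}

resource "aws_iam_role" "this" {
  name               = var.name
  assume_role_policy = data.aws_iam_policy_document.assume.json
}

resource "aws_iam_role_policy" "this" {
  role   = aws_iam_role.this.id
  policy = data.aws_iam_policy_document.permissions.json
}
```

With this module in place, the lambda_role block above plans cleanly, while a caller that passes actions = ["s3:*"] or resources = ["*"] is rejected before anything is applied.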

3. The Serverless API Module

Lambda + API Gateway + CloudWatch Logs is four resources every time. Wrapping them in a module cuts new endpoint setup to a single block and keeps naming conventions consistent across the board.